Abstract

Even though modern information security and privacy attacks have reached epic proportions and are gravely damaging both business and government, a widespread misconception persists among directors and officers: that they, the directors and officers, do not need to personally get involved in this vitally important area. The truth is that not doing hands-on technical or operational work does not relieve them of a critically important role in addressing these issues. Their required participation is clearly and irrefutably in evidence in authoritative legal sources such as laws, regulations, court opinions, and settlement agreements. This hands-off attitude, this distance from the urgency and difficulty of dealing with the problems, has unfortunately had many serious and damaging consequences. For example, the directors and officers at Equifax recently settled a breach-related lawsuit with plaintiff lawyers to the tune of $149 million (2020; see In re Equifax Inc. Securities Litigation, U.S. Dist. Ct. (N. Dist. Georgia, 2020), Consolidated Case No. 1:17-cv-03463-TWT). That lawsuit was based on a 2017 Equifax breach in which the credit reports of some 143 million customers were disclosed to unauthorized parties. Before that, the directors and officers at Yahoo! settled a shareholders' derivative action to the tune of $29 million (2019; for specifics, see In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2019 U.S. Dist. LEXIS 15034 (2019)). The latter lawsuit was based on several breaches at Yahoo! between 2013 and 2016 involving the release of sensitive user information, followed by concealment from investors of the facts about those breaches. These and other recent cases are illuminating the scope of the role that directors and officers must now play.

To be specific, their role is now sufficiently clear and documented that it can be used as a reference point in various tasks, such as independent audits that green-light certain high-risk transactions. This reference point can also be used for a number of critical governmental actions, such as annually approving the actions taken by corporate senior management in response to a consent decree. Illustrating the contours of this new role, this article provides a brief overview of the minimum legal obligations of corporate directors and officers when it comes to information security and privacy.
